
u pitt's centrex



#1 skywanter


Posted 20 January 2012 - 03:32 PM

I'm a student at Pitt and have a few questions about their Centrex system that I've been poking around a bit with lately. Any documentation on such systems would be really great, I am really clueless about centrexes in general, I don't even know who made them, if they're like hosted off a switch or something, etc. The telephones in the dorms are Avaya but I doubt that relates at all to the system itself; they could be any standard DTMF phone. All I know is that the centrex was installed in 1973 and it seems like very little has changed since then.

When you pick up the phone, there's no big kerplunk of what I believe to be the battery drop on a 5ESS or anything, just dialtone, but you can tell it's not a digital one. The system accepts no pulse dialing at all, although if you flash on the dialtone you do get a very pronounced battery drop (I might be using this term incorrectly), and the flash itself is kind of interesting. I drew a little diagramy thing to demonstrate this one thing that happens:

normal dialtone -> you hit flash -> get a burst of the same dialtone as before -> batt drop (or at least loud chk-CHK!) -> new dialtone

If you hit a digit during the "get a burst of the same dialtone as before" segment, during the new dialtone phase, the centrex will have already responded to it (so if you hit zero during the "old burst", you won't even get a dialtone during the "new dialtone" phase, just a ring to the operator). I realize this is a pretty insignificant phenomenon but hey, it's 2012, and you should be damn happy there's even a soul posting here. Hopefully this could help identify the system.

Dialing plan. Here's where the most of my exploration has been so far.
I haven't mapped the entire basic dialing plan, but it's 9 to get a dialtone that will lead you to the outside, 0 for operator, * and # codes are accepted and screwy, like everything on here. I haven't done all of * yet but I have poked around #, which is listed below. Keep in mind that this portion of the dialing plan I explored from a public university phone here, and the system most certainly does distinguish between dorm and public phones. Hopefully I'll look more into this later.
#1 and #6 just give you dialtones, with their own screwy dialing plans as well. No idea.
#2 and #3 give you a slow, triple stutter of dialtone to silence (meaning this is not a stutter dialtone, just a pseudo-dialtoneish-ring). However, they just lead to a short silence, then a batt drop (?), then a long silence that you have to hang up on to get back to the normal dialtone.
Everything else is a sirenish-tone (which serves as the system's equivalent to a busy/ro, which it gives you for screwy dials like ** or something, and the such), and there are a couple of reorders in the # portion of the dialing plan too. Any idea why they distinguish between these sirenish tones and a RO?

I just called the operator and tried to blow her off with a 2600 tone, and there's a sliver of a chance it worked. She could have just hung up on me but it seemed like I got a really fast battery drop like a second after I played the tone. I don't want to test this again because it seems to be the same one lady who works as the operator and I'm ridiculously paranoid (more on that later).

The 9- portion of the dialing plan is kind of interesting too, and once again, distinguishes between dorm and public phones.
One cool trick I've found is that from the dorm phones 9-1-412-555-1212 just gets you a sirenish tone, but if you dial 9-412-555-1212-#, you actually get Verizon directory assistance. Does Verizon DA just look up, and not connect you to numbers always? I asked the operator there if she could read my number back to me and she said she "didn't have it," I have no idea what this implies.
The 9- portion loves to give you stutter dialtones at weird instances, I have no idea if this is some antiquated calling card shit or what. Let me explain. From a public phone, any connecting to 412-555-1212 gives you a stutter dialtone and returns a sirenish after 7 digits. Also, on dorm phones and public phones dialing any 800 number and a # at the end hits you up with a stutter dialtone, which makes me believe it's waiting for a PIN of sorts to continue.

By far the most interesting thing I've found seems to be the system's test prefix in their dialing plan, which is the super secret, incredibly hard to find, 123- dialing plan. 123 hits you up with a non-stutter dialtone with its own plan of course. Dialing 1234567 here just gives you this peculiar silence with a decent amount of old sounding background quiet rhythmic clickish white noise.

And then there's 123-00# and 123-11#, which both give you a higher pitched sounding dialtone. I don't know if this is considered a "high tone" or not. These may be DTMF tests, but if so, I haven't found out how to work the thing. I'm familiar with the Chicagoland ringback/DTMF test which is pretty screwy in itself, but if this is indeed a DTMF test then this is way screwier. Dialing plan:

0 - a burst of silence, could be waiting for more digits if DTMF test
1,4,5,7,8,9 all give a single burst of higher-pitched (meaning higher than this subsystem's dialtone) tone the same silence as when you dial 123-1234567 from the starting dialtone
2 and 3 give a different flavor of silence, they have added on to them a louder sort of hum that seems to indicate more voltage is running through them. Possibly they're waiting for more digits but I haven't been able to find any.
*#x (except for *#0) give you two bursts of a high pitched tone followed by silence. From here you can reset to the normal high pitched dialtone of this subsystem with # (which, in other places in this subsystem, always returns you to the high pitched dialtone). *#0 just waits for something more (FUCK YOU system, why are you so confusing???)
Both different flavors of silence will respond no further no matter how many digits you put in, unless they're waiting for a specific code I haven't figured out yet.
I've tried flashing all over this and nothing happens, it doesn't seem to have ringback capabilities.

The ANI outgoing calls on public phones give out is 412-383-6265, which is just "a nonworking number at the university of pittsburgh."

Also dunno if I mentioned this but three way calling is supported.

There's still a ton of poking around for me to do, but it so far has proved really interesting and I'm just so excited to find something as little as this in 2012. I would love to do some recording soon but I left my induction coil and recorder at home, but it'll be up by after spring break at the latest.

If you actually read all this, sorry for the often shitty wording.

The other issue I wanted to bring up with you guys is the possibility of getting caught. If I got in even the slightest trouble with the university that my parents were notified I would be up shit creek in a second - It's fairly questionable that I should be in college in the first place with my past semester's grades and my parents would say this exact phrase in angry disbelief: "YOU MEAN YOU'RE STILL DOING THAT PHONELOSERS STUFF?" (yes, my mom saw me on phonelosers once in middle school and freaked (phreaked) out, and still uses this term to describe phone phreaking today). Does this system have a method of raising flags and other security measures? Practically speaking, do you think I'll get in any trouble?

Lastly, if you're ever near campus and want to play with their centrex, you can do so by just walking into the Hillm4n Library, go through the doors on the ground floor marked exit and immediately take a left into what used to be a payphone bank, there's a nice and secluded public university phone to use.

Let's get some good old-skool discussion going here! Thanks for reading!

#2 nyphonejacks


Posted 20 January 2012 - 09:10 PM

interesting stuff -
i do not have a lot of answers for you, i will have to re-read this mess and see if i can think something up..

you should not get into much trouble unless you dial DATU numbers, ahem...and even then when you are the verizon tech who leaked the numbers it will still take verizon and the secret service over two years to figure it out and come after you.. ahem.. or if you are making bomb threats... people tend to forget about phone security, and unless you are running up their phone bill with 900 calls or international calls i really do not think that they are going to pay much attention to you playing around with the phone..

#3 ThoughtPhreaker


Posted 20 January 2012 - 09:18 PM

> When you pick up the phone, there's no big kerplunk of what I believe to be the battery drop on a 5ESS or anything, just dialtone, but you can tell it's not a digital one. The system accepts no pulse dialing at all, although if you flash on the dialtone you do get a very pronounced battery drop (I might be using this term incorrectly), and the flash itself is kind of interesting


I can probably go record one later, but that sounds like a characteristic Avaya behavior; a lot of their PBXes don't support pulse dialing, but they'll interpret a short flash as you hanging up and picking up again. In some situations, they have some form of sorcery going on where a flash isn't even generated by a switchhook. My guess is it has something to do with the extra pair that analog PBX extensions occasionally get.

> but hey, it's 2012, and you should be damn happy there's even a soul posting here


You're new to binrev, aren't you? :p

> One cool trick I've found is that from the dorm phones 9-1-412-555-1212 just gets you a sirenish tone


Did it sound anything like 301-999-9999? Or like this? Both very Avaya-y tones. Congrats on finding a way around the toll restriction in any event.

> and then there's 123-00# and 123-11#, which both give you a higher pitched sounding dialtone


Did it sound anything like this? http://thoughtphreak.../avayadisa.flac

By all means, please do record anything you hear, particularly in the 123- prefix, but keep in mind that despite the year, things of this nature really aren't all that unusual. Be thankful instead that the phone network is as interesting as it is; a little bit of curiosity always goes a long way.

> The other issue I wanted to bring up with you guys is the possibility of getting caught. If I got in even the slightest trouble with the university that my parents were notified I would be up shit creek in a second - It's fairly questionable that I should be in college in the first place with my past semester's grades and my parents would say this exact phrase in angry disbelief: "YOU MEAN YOU'RE STILL DOING THAT PHONELOSERS STUFF?" (yes, my mom saw me on phonelosers once in middle school and freaked (phreaked) out, and still uses this term to describe phone phreaking today). Does this system have a method of raising flags and other security measures? Practically speaking, do you think I'll get in any trouble?


If this is primarily Avaya equipment as I'm thinking, yes, it does have a way of alerting the administrator if there's a problem. Wherever it's located, there's either a printer, a console, or both that'll print messages out whenever there's anything it deems unusual activity. This is more or less centered around finding hardware failures, though, so if you're doing anything the PBX thinks is a malfunction frequently from the same extension, the administrator may call you and ask if you're having trouble making calls.

Having as good an understanding of phreaking as they do, most PBX manufacturers have very little in the way of logging designed to catch curious people. Typically, the only thing you'll have to worry about is excess failed login attempts on a mailbox or fraud - neither of which it looks like you're too intent on. If they were to talk to you about the directory assistance calls, they'd probably just ask you to pay for them, or in the worst case scenario, maybe take your phone away. A college is an institution that's supposed to prepare you to be successful and self-sufficient. If they flip shit to your parents over a couple of directory assistance calls, you probably should be going someplace else anyway.

EDIT: I happened to be near an Avaya PBX not too long ago, so here's a recording of me picking up and hanging up - once moderately slowly, and once short enough to be considered a dialpulse digit. Lemme know if this is the pronounced sound you speak of; http://thoughtphreak...vaya_flash.flac

Edited by ThoughtPhreaker, 21 January 2012 - 06:58 PM.


#4 systems_glitch


Posted 22 January 2012 - 11:15 PM

On getting caught and the university doing something: as long as you're over 18, it's illegal for them to contact your parents regarding anything, unless you signed a waiver agreeing to allow the university to do so. If your parents made you sign the waiver, you can go to the university and ask them to destroy it. "I'm (his/her) parent, give me their grades!" doesn't work anymore.

#5 skywanter


Posted 26 January 2012 - 07:23 AM

Thoughtphreaker - Thanks! That really does mean a lot, and I'm actually pretty proud of it myself, I've only had a small handful of phreaking accomplishments in my lifetime in addition to this. So yeah, it seems like it's definitely an Avaya system, that tone you posted is exactly it. I wasn't able to listen to the audio you posted in your edit for some reason, but I'm sure it just confirms that it's an Avaya system. I'll have to do more exploring of the 123 prefix soon and I'm sure I'll find some way to record it. It's also really nice to actually be told exactly what a system like this has in terms of security - I had always imagined something with... more common sense. Oh, almost forgot, there is certainly no sorcery with any of the extra pairs going on with this system, as all the phones I've come across only have the lone pair to begin with.

And systems_glitch and nyphonejacks, thanks for the info about getting caught, now I can sleep easy at night knowing there's no Tom Duffy after me. oh, nypj, Do DATUs even still exist? didn't they "change the passwords" on all of them anyway?

Edited by skywanter, 26 January 2012 - 07:36 AM.


#6 nyphonejacks


Posted 26 January 2012 - 04:56 PM

> oh, nypj, Do DATUs even still exist? didn't they "change the passwords" on all of them anyway?

they changed the passwords TWICE ;)

the first time most of them were on default passwords like 1111
the second time when they changed the phone numbers and passwords.. not sure why any charges were brought up because evidence shows that the passwords were not released..

last time i heard about any DATU info was about a year or two ago from a VZ tech... at that time they had gotten security right for a change, using a toll free number, and requiring a 2 part password.. one identifying the tech, and the other the actual password (do not remember if they included the securID in with the security, but i do not think that they did) after the 2nd time techs pretty much stopped using DATU as often and called into the CO for most of the tests that DATU provided.. so depending on how you look at it, it either made tech's jobs more difficult, or provided more job security for COTs

#7 ThoughtPhreaker


Posted 11 July 2012 - 03:58 AM

BUMP!

Somebody brought up U Pitt in a phreaking conversation earlier, so I started poking about a little. The great thing about universities is they always have something on their webpage about the PBX - and centrex in this case. U Pitt was awesome enough to actually list the model numbers of the phones on their website of all things. http://technology.pi...ces/phones.html

The 2410 and 2420 are some of Avaya's more recent digital sets, I think they use the same exact protocol as the phone in the banner. I can't say for certain, but I've seen all three run out of the same PBX before.

As for the 6210, the manual says it's more of a vanilla ISDN phone. It supports NI-1 and 5ESS flavors, and the phone request form says they'll only hand it out for centrex extensions.

The voicemail system is a third party retrofit designed by a company called Avst. In a nutshell, the software - Callxpress, is just a Windows machine with a Dialogic card or two. All the support documents say it's designed to interface with a ton of different PBXes and centrex standards, so consolidation might explain why it got installed.

If you'd like to read up on it, they have some kind of training course where people can pay an asston of money to install it in a classroom. Part of the deal is they pass out training PDFs, which seem to have made their way into an open directory of all things. http://hcwt.com/avst/

The training documents are the ones starting with CXSW.

By the way, I don't know how much this'll help, but the voicemail page mentions 412-624-0003 is its access number. Might be a good place to start if you're into scanning :) .

EDIT: I almost forgot to mention, there's three other campuses with different phone systems - one of them I can say for sure is Avaya, but none of them look to be interconnected. Dialing an off-premise extension will get you either a recording telling you to use an outside line, or a VMS saying it's not valid, depending on where you try it from.

Edited by ThoughtPhreaker, 11 July 2012 - 04:01 AM.


#8 JmanA9


Posted 18 July 2012 - 07:42 PM

Pitt's website lists *2 as the code to activate Call Forwarding. I've never seen a centrex use anything other than the standard *72.



